https://bz.apache.org/bugzilla/show_bug.cgi?id=69326

            Bug ID: 69326
           Summary: Documentation for AuthName should note that nowadays,
                    browsers no longer display the "realm"
           Product: Apache httpd-2
           Version: 2.4.62
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authn_core
          Assignee: bugs@httpd.apache.org
          Reporter: bugh...@gluino.name
  Target Milestone: ---

It seems that these days, browsers no longer show the "realm" string specified
by AuthName in the password dialog as this string is not trustworthy:

See:

https://stackoverflow.com/questions/69303610/why-dont-modern-web-browsers-display-the-realm-value-for-http-authentication

"The reason is that this could be abused for phishing attacks, by putting some
misleading message into the realm. The login dialog for http authentication is
part of the trusted browser UI, and giving the server the opportunity to modify
that UI - even by just displaying text - is a security risk."

This fact should be noted in the documentation for

https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname
